ALYNE CONTENT LIBRARY OVERVIEW OF CONTROL AND ASSESSMENT SETS UPDATED FEB 2018


ALYNE LIBRARY SUMMARY

897 Control Statements defined
64 Control Sets available
2 Languages (EN-US, EN-GB, DE)
31 Standards, Laws and Regulation mapped
563 Interlinked risks associated with Control Statements
44 Predefined Assessment Templates

ALYNE LIBRARY TOPIC OVERVIEW

All Control Statements are aligned with a topic in the Alyne Library. The following overview provides a description of the scope of each Library topic.

APPLICATION GOVERNANCE (32 Control Statements)
Control Statements defining mature practices for governing applications from go live to decommissioning.
Sub-topics: ACCESS MANAGEMENT, CHANGE MANAGEMENT, DATA VALIDATION, DECOMMISSIONING, DEPLOYMENT, GENERAL PRINCIPLES, INCIDENT MANAGEMENT, ISSUE MANAGEMENT, ROLES AND RESPONSIBILITIES, SCOPE, SERVICE LEVEL AGREEMENTS, USER SUPPORT

ARCHITECTURE (5 Control Statements)
Control Statements for defining and managing IT architecture and integrating with the organisation's strategic development.
Sub-topics: ARCHITECTURE STRATEGY

ARCHIVING AND DATA RETENTION (12 Control Statements)
Control Statements for retaining physical and digital data in line with functional and legal requirements.
Sub-topics: DATA LIFECYCLE, GENERAL PRINCIPLES, PHYSICAL DATA ARCHIVING

AUDIT (18 Control Statements)
Control Statements to define internal and external audits and integrate these with the corporate governance practices of the organisation.
Sub-topics: EXTERNAL AUDIT, GENERAL PRINCIPLES, PROCESS, ROLES AND RESPONSIBILITIES

CLOUD SERVICES (9 Control Statements)
Control Statements for safely and effectively integrating and managing cloud services in the enterprise environment.
Sub-topics: CLOUD USAGE, ROLES AND RESPONSIBILITIES

BUSINESS CONTINUITY MANAGEMENT (84 Control Statements)
Control Statements to establish a mature business continuity framework, manage resilience and test the organisation's preparedness.
Sub-topics: ALTERNATE SITES, BUSINESS CONTINUITY PLANS, BUSINESS CONTINUITY RESPONSE CENTRE, BUSINESS IMPACT ASSESSMENT, COMMUNICATION, CONTINUITY STRATEGIES, GENERAL PRINCIPLES, HUMAN RESOURCES CONTINUITY, MAINTENANCE, SUCCESSION PLANNING, TESTING AND TRAINING, ROLES AND RESPONSIBILITIES

COMMUNICATION TECHNOLOGY (10 Control Statements)
Control Statements to securely manage communication technology.
Sub-topics: EMAIL AND MESSAGING, MOBILE DEVICE MANAGEMENT

CRYPTOGRAPHY (16 Control Statements)
Control Statements to implement and manage the use of cryptography within modern security management structures.
Sub-topics: DESIGN, GENERAL PRINCIPLES

COMPLIANCE MANAGEMENT (11 Control Statements)
Control Statements to establish the lean but effective management of legal and regulatory requirements.
Sub-topics: COMPLIANCE REPORTING, ROLES AND RESPONSIBILITIES

DATA LOSS PREVENTION (11 Control Statements)
Control Statements to establish a data loss prevention capability within the organisation.
Sub-topics: CRITICAL INFORMATION, BLOCKING, DETECTION RULES, GENERAL PRINCIPLES, ROLES AND RESPONSIBILITIES

FRAUD PREVENTION (15 Controls)
Control Statements for safely and effectively integrating and managing cloud services in the enterprise environment.
Sub-topics: GENERAL PRINCIPLES, WHISTLEBLOWING, ROLES AND RESPONSIBILITIES

DATA PROTECTION AND PRIVACY (97 Control Statements)
Control Statements to establish the mature business continuity framework, manage resilience and test the organisation's preparedness.
Sub-topics: ACCESS REQUESTS, COMPLAINTS, CROSS BORDER DATA FLOWS, DATA BREACHES, DATA DISPOSAL, DATA PRIVACY PRINCIPLES, DATA USAGE, EXTERNAL PRIVACY POLICY, EXTERNAL PROCESSING OF PII, MARKETING, INFORMATION WARNING RESPONSE, PII USAGE INVENTORY, PHYSICAL DATA PROTECTION, PRINTING, ROLES AND RESPONSIBILITIES, TEST DATA

HUMAN RESOURCES MANAGEMENT (10 Control Statements)
Control Statements to effectively manage recruitment, background checks, employee performance and HR related security.

INFORMATION CLASSIFICATION (12 Control Statements)
Control Statements to effectively classify information to govern the appropriate usage of information assets throughout the organisation.

IDENTITY AND ACCESS MANAGEMENT (56 Control Statements)
Control Statements to manage identity creation, provisioning of access, role management, review, segregation of duties and revocation.

Sub-topics covered by these three topics: BACKGROUND CHECKS, CAPABILITY MANAGEMENT, CHANGE MANAGEMENT, ROLES AND RESPONSIBILITIES, CLASSIFICATION, LABELLING, INAPPROPRIATE INFORMATION, ACCESS REQUESTS, ACCOUNT DEACTIVATION, AUTHENTICATION, DIGITAL CERTIFICATES, GENERAL PRINCIPLES, IDENTITY MANAGEMENT, LEAVING THE ORGANISATION, LOGGING, NETWORK ACCESS, PRIVILEGED ACCESS MANAGEMENT, ROLE MANAGEMENT, CONFIDENTIALITY, DISCIPLINARY PROCESS, ROLES AND RESPONSIBILITIES, SEGREGATION OF DUTIES, SINGLE SIGN ON, USER ACCESS REVIEWS, USER LIFECYCLE, VENDOR MANAGEMENT

INFRASTRUCTURE MANAGEMENT (12 Control Statements)
Control Statements to manage the organisation's IT infrastructure.
Sub-topics: CAPACITY MANAGEMENT, CHANGE MANAGEMENT, ROLES AND RESPONSIBILITIES

NETWORK MANAGEMENT (7 Control Statements)
Control Statements to manage the organisation's network assets.
Sub-topics: GENERAL PRINCIPLES

IT ASSET MANAGEMENT (6 Control Statements)
Control Statements to manage the organisation's IT assets.
Sub-topics: ROLES AND RESPONSIBILITIES

NON-DISCLOSURE AGREEMENTS (22 Control Statements)
Control Statements to document a non-disclosure agreement between the organisation and its members.

OUTSOURCING (18 Control Statements)
Control Statements defining initiation, management and transition of outsourcing agreements including special requirements for outsourcing material business processes.

OPERATIONS AND ORGANISATION (24 Control Statements)
Control Statements to govern a mature organisation from defining key responsibilities to documenting policies, procedures and controls.

Sub-topics covered by these three topics: CONFIDENTIALITY, DATA PRIVACY, GENERAL PRINCIPLES, BUSINESS PROCESS OUTSOURCING, ROLES AND RESPONSIBILITIES, GENERAL PRINCIPLES, CHINESE WALLS, COMPLAINTS MANAGEMENT, GENERAL PRINCIPLES, IT STRATEGY, MERGERS AND ACQUISITIONS, POLICY MANAGEMENT, ROLES AND RESPONSIBILITIES, VENDOR MANAGEMENT, INTELLECTUAL PROPERTY, OUTSOURCING MONITORING

PASSWORD MANAGEMENT (27 Control Statements)
Control Statements to define and manage safe passwords for users, privileged access and technical accounts.
Sub-topics: PRIVILEGED ACCESS PASSWORDS, PASSWORD HISTORY, GENERAL PRINCIPLES, SYSTEM ACCOUNT PASSWORDS, USER PASSWORDS

PROCESS MANAGEMENT (11 Control Statements)
Control Statements to document the organisation's key processes consistently.
Sub-topics: ROLES AND RESPONSIBILITIES, GENERAL PRINCIPLES, PROCESS MODELLING

PHYSICAL SECURITY (86 Control Statements)
Control Statements to manage physical security in offices, data centres and technology rooms as well as for personnel.
Sub-topics: ATM SECURITY, DATA CENTRE SECURITY, EXECUTIVE PROTECTION, HEALTH AND SAFETY, IT PROTECTION, OFFICE SECURITY, PHYSICAL SECURITY MONITORING, ROLES AND RESPONSIBILITIES, TECHNOLOGY ROOM SECURITY, TRAVEL SECURITY, VIDEO SURVEILLANCE

PROCUREMENT (46 Control Statements)
Control Statements to manage procurement processes and prevent fraudulent use of assets including controls to manage a BYOD program.

RISK MANAGEMENT (34 Control Statements)
Control Statements to define mature and consistent management of risks for the organisation and providing executives with informed and risk aware decision points.

PROGRAM AND PROJECT MANAGEMENT (47 Control Statements)
Control Statements to ensure appropriate governance and management of programs and projects to develop new capabilities.

Sub-topics covered by these three topics: CODE OF CONDUCT, BRING YOUR OWN DEVICE, BIDS, THREE LINES OF DEFENCE, GENERAL PRINCIPLES, ANALYSIS, BUSINESS CASE, CLOSURE, DOCUMENTATION, FEASIBILITY STUDY, INITIATION, METHODOLOGY, PROGRAM OR PROJECT PLAN, DOCUMENTATION, END USER DEVICES, PROJECT MANAGEMENT OFFICE, REPORTING, REQUIREMENTS MANAGEMENT, RISK EVENTS, GENERAL PRINCIPLES, PROCESS, ROLES AND RESPONSIBILITIES, SEGREGATION OF DUTIES, ROLLOUT AND HANDOVER, SOFTWARE SELECTION, STAFFING, STRUCTURE, ROLES AND RESPONSIBILITIES

SECURITY MANAGEMENT (27 Control Statements)
Control Statements to establish the core capabilities of security management.

SOCIAL MEDIA (23 Control Statements)
Control Statements to define how the organisation and its members interact with customers over social media.

SECURITY MONITORING (40 Control Statements)
Control Statements to define integrated security and event monitoring to provide executives with actionable decision options.

Sub-topics covered by these three topics: PAYMENT CARDS, FINANCIAL SERVICES SECURITY, CUSTOMER SECURITY, ROLES AND RESPONSIBILITIES, EMPLOYEE PARTICIPATION, ANTI MALWARE, CONFIGURATION MANAGEMENT, LOGGING, PATCH MANAGEMENT, SECURITY INFORMATION AND EVENT MANAGEMENT, VULNERABILITY MANAGEMENT, GENERAL PRINCIPLES, ROLES AND RESPONSIBILITIES, MODERATION, DENIAL OF SERVICE ATTACKS, SOCIAL MEDIA ISSUE MANAGEMENT

SOFTWARE DEVELOPMENT (35 Control Statements)
Control Statements to define secure coding and comprehensive testing of software before it is introduced to production.

SUSTAINABILITY (6 Control Statements)
Control Statements to define sustainable business practices to engage in an office environment.

SOFTWARE LICENSING (4 Control Statements)
Control Statements to establish the effective and legal use of software licenses.

Sub-topics covered by these three topics: SECURE DEVELOPMENT, DOCUMENTATION, CODE DEVELOPMENT, WORKPLACE, TERMINATION, GENERAL PRINCIPLES, TESTING, ROLES AND RESPONSIBILITIES, SECURE WEB DEVELOPMENT

WORKSTATIONS AND SERVERS (28 Control Statements)
Control Statements to define the secure and appropriate configuration and usage of workstations and servers.
Sub-topics: DATA MANAGEMENT, BACKUPS, APPLICATION WHITELISTING, GENERAL PRINCIPLES, HARDENING, NETWORK SECURITY, USAGE

ALYNE TEMPLATE LIBRARY

Control Statements can be grouped as Control Sets or Assessment Sets. Predefined templates are provided with Alyne.

ALYNE BASICS

Control Statement: defines one specific rule in simple and harmonised language. Example title: "A very slim and concise control statement." A Control Statement can be part of one or many Control Sets and of one or many Assessment Sets.

Control Set: groups a set of control statements for a specific purpose (example: Application Governance).

Assessment Set: provides a set of questions to measure a specific objective (example: Application Governance).

FCA AND PRA CYBER SECURITY AND RISK MANAGEMENT
GERMAN / EU DATA PRIVACY
ITSG PROVIDERS OF CRITICAL INFRASTRUCTURE
ITSG TELEMEDIA PROVIDERS
IAM INTEGRATED MATURITY
IAM MANUAL MATURITY
FINNISH DATA PRIVACY
FINNISH TECHNOLOGY RISK MANAGEMENT
AUSTRALIAN PRIVACY PRINCIPLES
BASE DATA PRIVACY
ADVANCED BCM
BUSINESS CONTINUITY MANAGEMENT BASICS
BRING YOUR OWN DEVICE
C2M2 DEPARTMENT OF ENERGY CYBER SECURITY
COBIT 4.1
COBIT 5
EXTERNAL DATA PROCESSING
ISO 27001:2013 ISMS
MARISK IT GOVERNANCE AND SECURITY
MAS TECHNOLOGY RISK MANAGEMENT
PCI DSS
PERSONAL CYBER CHECK
US FED INFORMATION SECURITY STANDARD
UK CYBER ESSENTIALS

ALYNE ASSESSMENT SET TEMPLATES

UK DATA PRIVACY
COBIT 4.1 HIGH MATURITY
COBIT 4.1 MEDIUM MATURITY
DATA PRIVACY POST INCIDENT IMPROVEMENT
EXTERNAL DATA PROCESSING B2B2C
EXTERNAL DATA PROCESSING HIGH RISK
EXTERNAL DATA PROCESSING LOW RISK
COBIT 5 HIGH MATURITY
COBIT 5 MEDIUM MATURITY
APPLICATION GOVERNANCE
AUSTRALIAN DATA PRIVACY
BASE DATA PRIVACY
ADVANCED BCM
BCM BASICS
BRING YOUR OWN DEVICE
BSI BASELINE PROTECTION
C2M2 DOE CYBER SECURITY
CLOUD SERVICE PROVIDERS
EXTERNAL DATA PROCESSING MEDIUM RISK
FCA AND PRA CYBER SECURITY AND RISK MANAGEMENT
FINNISH DATA PRIVACY
FINNISH TECHNOLOGY RISK MANAGEMENT FOR FS
GERMAN / EU PRIVACY HIGH MATURITY
GERMAN / EU PRIVACY MEDIUM MATURITY
ITSG CRITICAL INFRASTRUCTURE PROVIDERS
ITSG TELEMEDIA PROVIDERS
PCI DSS LEVEL 2-4
PERSONAL CYBER CHECK
UK CYBER ESSENTIALS
SOCIAL MEDIA MANAGEMENT
US FED INFORMATION SECURITY STANDARD
IAM INTEGRATED MATURITY
IAM MANUAL MATURITY
ISO 31000:2009 RISK MANAGEMENT
ISO27001:2013 HIGH MATURITY
ISO27001:2013 MEDIUM MATURITY
MARISK IT GOVERNANCE AND SECURITY
MAS TECHNOLOGY RISK MANAGEMENT
NON-DISCLOSURE AGREEMENT
PCI DSS LEVEL 1
PSD2 SECURITY MEASURES FOR OPERATIONAL AND SECURITY RISKS
BAIT - GERMAN BANKING REGULATORY REQUIREMENTS FOR THE IT
ASD PROTECT ESSENTIAL EIGHT
OWASP TOP 10 2013

STANDARDS, LAWS & REGULATIONS

Our content is mapped to Standards, Laws & Regulations of major global markets.

STANDARDS, LAWS & REGULATIONS MAPPINGS

Standard | Version | Origin
ISO/IEC 27001:2005 Information technology – Security techniques – Information security management systems – Requirements | 11 - 2005 | ISO
ISO/IEC 27001:2013 Information technology – Security techniques – Information security management systems – Requirements | 10 - 2013 | ISO
BDSG Bundesdatenschutzgesetz / German Federal Data Protection Act | 2009 | Germany
EU Directive 95/46/EC Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data | 95 | EU
COBIT 4.1 | 4.1 | IT Governance Institute
COBIT 5 | 5 | IT Governance Institute
PCI DSS v3.1 Payment Card Industry Data Security Standard | 3.1 | Security Standards Council
MaRisk BA (10/2012) Minimum Requirements for Risk Management | 10 - 2012 | German Federal Financial Supervisory Authority (BaFin)
APP (AUS) Australian Privacy Principles, Schedule 1, Privacy Act 1988 | 1988 | Australia
COSO Committee of Sponsoring Organizations of the Treadway Commission - Internal Control — Integrated Framework | 05 - 2013 | Committee of Sponsoring Organizations of the Treadway Commission
ISO 22301:2012 Societal security — Business continuity management systems — Requirements | 2012 | ISO
TKG Telekommunikationsgesetz / German Telecommunications Law | 12 - 2015 | Germany
TMG Telemediengesetz / German Telemedia Law | 07 - 2015 | Germany
SGB Sozialgesetzbuch / German Code of Social Law | 01 - 1983 | Germany
AO Abgabenordnung / German Tax Code | 12 - 2015 | Germany
BSI Grundschutz IT-Grundschutz Catalogues from the German Federal Office for Information Security | 14. Revision | BSI Germany
UK Cyber Essentials Cyber Essentials Scheme: Assurance Framework | 02 - 2015 | UK
UK FCA Financial Crime: A Guide for Firms | 04 - 2015 | UK
UK Privacy Act 1998 | 1998 c.29 | UK
NIST Cyber security 2014 National Institute of Standards and Technology: Framework for Improving Critical Infrastructure Cybersecurity | 02 - 2014 | USA
GOBS Grundsätze ordnungsmäßiger DV-gestützter Buchführungssysteme / Generally accepted principles of computerised accounting systems | 7. November 1995 - IV A 8 - S 0316 - 52/95- BStBl 1995 I S. 738 | Germany
HGB Handelsgesetzbuch / German Trade Law | 11 - 2015 | Germany
Fed Guideline IS Federal Reserve System: Interagency Guidelines Establishing Information Security Standards | 08 - 2013 | USA
MAS TRMG Monetary Authority of Singapore: Technology Risk Management Guidelines | 06 - 2013 | Singapore
FIN-FSA OpRisk Financial Supervisory Authority: Management of operational risk in supervised entities of the financial sector | 08 - 2014 | Finland
Finnish Personal Data Act | 523/1999 | Finland
ISO 31000:2009 Risk Management - Principles and Guidelines | 2009 | ISO
GDPR General Data Protection Regulation | 2016 | EU
ASD Protect Essential Eight | 2017 | Australia
BAIT German banking regulatory requirements for the IT | 2017 | Germany
PSD2 Security Measures for Operational and Security Risks | 12 - 2017 | EU
OWASP TOP 10 2013 Guidelines for secure coding | 2013 | OWASP

This document contains general information on Alyne only and should not be considered a basis for business or risk related decisions. Information contained herein is not consultative, advisory, a legal contract or a binding offer. Decisions based on this information shall be made at the reader’s own risk. Alyne GmbH will not be liable for any statements made in this document.

About Alyne

Alyne GmbH provides Software as a Service solutions to businesses in the area of Cyber Security, Risk Management and Compliance based out of Munich, Germany.

Alyne is a registered trademark of the Alyne GmbH, Hiltenspergerstr. 35, 80798, Company Registry Number HRB 220987. © 2018 Alyne GmbH